Re: thorny (for me) permissions problem

2008-10-07 Thread Jeremy Chadwick
On Tue, Oct 07, 2008 at 08:54:36AM -0400, John Almberg wrote:
 The following permissions problem has me stumped:

 1. User A uploads a file (using ftp) to the server, into a directory  
 called 'data' owned by user B. Permissions on directory set to allow  
 this, like this:
   drwxrwxr-x  2 user_b user_b   512 Oct  7 08:40 data

This implies that User A's account is in group user_b.

 2. A cron job, run by user B, then processes the file

 3. When the processing is complete, the cron job needs to delete the  
 file from the server

 4. however, after upload, the file has the ownership A:B (i.e, owned by 
 A, group B) with permissions -rw-r--r--. So B does not have permission to 
 delete the file.

This doesn't make sense.  Any user in group B (the group that's
assigned to the data directory) should be able to remove files
in that directory.

That means:

  1) Any user in the group called user_b,
  2) The user user_b himself.

See below.

 The ftp user can manually change the permissions on the file to
 -rw-rw-r--, but I do not want to depend on the user remembering to change
 permissions. If he forgets, the cronjob will process the file over and
 over again. I need the server to handle this, so it gets done correctly
 100% of the time.

 B does not have sufficient permissions to delete the file or change its
 permissions. The only thing I can think of is to have ANOTHER cron job, 
 run by A, run every few minutes to check for the existence of a file, and 
 change the permissions so B can delete it. But this smells like a kludge 
 to me.

 Is there a correct way to handle this? For instance, is there something I 
 can set in A's profile, so when he uploads a file, the group permission 
 is set to rw? That would be a nice clean way to do it, but I can't find 
 anything like that.

What you're describing is understandable, but something is wrong with
the setup or description of the problem.  Here's proof of what I'm
talking about:

# egrep 'somegroup' /etc/group
somegroup:*::bob,jim

# id bob
uid=2000(bob) gid=1000(users) groups=1000(users),(somegroup)
# id jim
uid=2001(jim) gid=1000(users) groups=1000(users),(somegroup)

Both of these users are in group somegroup.  So let's make some
directories and files:

drwxrwxr-x   2 jim   somegroup 2 Oct  7 06:22 data/
-rw-r-   1 bob   somegroup 0 Oct  7 06:22 data/somefile

In this scenario, user jim will be able to remove somefile, as
can be seen here:

# su jim
% id -a
uid=2001(jim) gid=1000(users) groups=1000(users),(somegroup)

% ls -l
total 1
-rw-r-  1 bob  somegroup  0 Oct  7 06:22 somefile
% rm somefile
override rw-r-  bob/somegroup for somefile? y
% ls -l
total 0

So, possibly the FTP server you're using does not inherit users' groups,
only GIDs?

-- 
| Jeremy Chadwick                                jdc at parodius.com |
| Parodius Networking   http://www.parodius.com/ |
| UNIX Systems Administrator  Mountain View, CA, USA |
| Making life hard for others since 1977.  PGP: 4BD6C0CB |

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]


Re: thorny (for me) permissions problem

2008-10-07 Thread Valentin Bud
Hello Mr. John,

On Tue, Oct 7, 2008 at 2:54 PM, John Almberg [EMAIL PROTECTED] wrote:

 The following permissions problem has me stumped:

 1. User A uploads a file (using ftp) to the server, into a directory called
 'data' owned by user B. Permissions on directory set to allow this, like
 this:
drwxrwxr-x  2 user_b user_b   512 Oct  7 08:40 data

 2. A cron job, run by user B, then processes the file

 3. When the processing is complete, the cron job needs to delete the file
 from the server

 4. however, after upload, the file has the ownership A:B (i.e, owned by A,
 group B) with permissions -rw-r--r--. So B does not have permission to
 delete the file.
-rw-r--r-- 1 user_a user_b 154879 Oct 7 08:40 data_file.csv

 The ftp user can manually change the permissions on the file to -rw-rw-r--,
 but I do not want to depend on the user remembering to change permissions.
 If he forgets, the cronjob will process the file over and over again. I need
 the server to handle this, so it gets done correctly 100% of the time.

 B does not have sufficient permissions to delete the file or change its
 permissions. The only thing I can think of is to have ANOTHER cron job, run
 by A, run every few minutes to check for the existence of a file, and change
 the permissions so B can delete it. But this smells like a kludge to me.

 Is there a correct way to handle this? For instance, is there something I
 can set in A's profile, so when he uploads a file, the group permission is
 set to rw? That would be a nice clean way to do it, but I can't find
 anything like that.

 Any help, much appreciated.

 -- John


 Depends on what ftp daemon you use. All the ftp server programs
have a way to enforce the umask. See http://en.wikipedia.org/wiki/Umask for
a better understanding of what umask is.

all the best,
v





Re: thorny (for me) permissions problem

2008-10-07 Thread Jeremy Hooks
 4. however, after upload, the file has the ownership A:B (i.e, owned by
A, group B) with permissions -rw-r--r--. So B does not have permission to
delete the file.
   -rw-r--r-- 1 user_a user_b 154879 Oct 7 08:40 data_file.csv

Hi John.

Correct me if I am wrong but permission to delete a file depends on the
user's permissions for the containing directory.  If B has write permission
on the directory then B can delete the file.  However you will likely need
to use 'rm -f'.

Regards.

Jeremy.

On Tue, Oct 7, 2008 at 1:54 PM, John Almberg [EMAIL PROTECTED] wrote:

 The following permissions problem has me stumped:

 1. User A uploads a file (using ftp) to the server, into a directory called
 'data' owned by user B. Permissions on directory set to allow this, like
 this:
drwxrwxr-x  2 user_b user_b   512 Oct  7 08:40 data

 2. A cron job, run by user B, then processes the file

 3. When the processing is complete, the cron job needs to delete the file
 from the server

 4. however, after upload, the file has the ownership A:B (i.e, owned by A,
 group B) with permissions -rw-r--r--. So B does not have permission to
 delete the file.
-rw-r--r-- 1 user_a user_b 154879 Oct 7 08:40 data_file.csv

 The ftp user can manually change the permissions on the file to -rw-rw-r--,
 but I do not want to depend on the user remembering to change permissions.
 If he forgets, the cronjob will process the file over and over again. I need
 the server to handle this, so it gets done correctly 100% of the time.

 B does not have sufficient permissions to delete the file or change its
 permissions. The only thing I can think of is to have ANOTHER cron job, run
 by A, run every few minutes to check for the existence of a file, and change
 the permissions so B can delete it. But this smells like a kludge to me.

 Is there a correct way to handle this? For instance, is there something I
 can set in A's profile, so when he uploads a file, the group permission is
 set to rw? That would be a nice clean way to do it, but I can't find
 anything like that.

 Any help, much appreciated.

 -- John



Re: thorny (for me) permissions problem

2008-10-07 Thread John Almberg


On Oct 7, 2008, at 9:34 AM, Jeremy Hooks wrote:

4. however, after upload, the file has the ownership A:B (i.e, owned by
A, group B) with permissions -rw-r--r--. So B does not have permission to
delete the file.
   -rw-r--r-- 1 user_a user_b 154879 Oct 7 08:40 data_file.csv

Hi John.

Correct me if I am wrong but permission to delete a file depends on the
user's permissions for the containing directory.  If B has write permission
on the directory then B can delete the file.  However you will likely need
to use 'rm -f'.


Argh

As a newbie admin, I really have a tough time with permissions. I  
swear I got a permissions error when I tried to delete this dang  
file, but I just logged in as B and was able to delete it just fine.  
Of course this is because B owns the directory.


I guess I must have done something boneheaded an hour or two ago...  
gosh, I hate wasting time. Mine, and the list's, of course.


Well, thanks to Valentin, I did figure out how to change the umask  
for pure-ftpd. So now uploaded files have the permissions I wanted,  
even if they are not needed.


And thanks to the rest, I figured out it was working all along... And  
now I can't even duplicate the error I saw before...


sigh Does this ever get any easier??? How can any one person  
remember all this stuff???


-- John



Re: thorny (for me) permissions problem

2008-10-07 Thread Jeremy Chadwick
On Tue, Oct 07, 2008 at 10:23:53AM -0400, John Almberg wrote:

 On Oct 7, 2008, at 9:34 AM, Jeremy Hooks wrote:

 4. however, after upload, the file has the ownership A:B (i.e, owned by
 A, group B) with permissions -rw-r--r--. So B does not have permission to
 delete the file.
-rw-r--r-- 1 user_a user_b 154879 Oct 7 08:40 data_file.csv

 Hi John.

 Correct me if I am wrong but permission to delete a file depends on the
 user's permissions for the containing directory.  If B has write permission
 on the directory then B can delete the file.  However you will likely need
 to use 'rm -f'.

 Argh

 As a newbie admin, I really have a tough time with permissions. I swear I 
 got a permissions error when I tried to delete this dang file, but I just 
 logged in as B and was able to delete it just fine. Of course this is 
 because B owns the directory.

 I guess I must have done something boneheaded an hour or two ago...  
 gosh, I hate wasting time. Mine, and the list's, of course.

 Well, thanks to Valentin, I did figure out how to change the umask for 
 pure-ftpd. So now uploaded files have the permissions I wanted, even if 
 they are not needed.

Be careful with what you've done.  If you changed the umask on the ftpd
as a whole, then suddenly unrelated users are going to find their files
writeable by whatever group/GID they default to.

For example, on my systems, everyone's default group is users, and I
definitely would not want group-write set to files people upload on
their accounts!  The idea of a user being able to edit or zero out other
users' data is not good.

But that's also what the underlying directory permissions are for...  As
you've learned/remembered today.  :-)

 And thanks to the rest, I figured out it was working all along... And  
 now I can't even duplicate the error I saw before...

 sigh Does this ever get any easier??? How can any one person remember 
 all this stuff???

It gets easier with time; don't rush yourself.  :-)  Even those of us
who have been using UNIX for almost 20 years forget the simplest of
things on a regular basis.

Be sure to let us know when you make the infamous rm -fr typo that
nukes either / or ~.  :-)

-- 
| Jeremy Chadwick                                jdc at parodius.com |
| Parodius Networking   http://www.parodius.com/ |
| UNIX Systems Administrator  Mountain View, CA, USA |
| Making life hard for others since 1977.  PGP: 4BD6C0CB |



Re: thorny (for me) permissions problem

2008-10-07 Thread John Almberg
Well, thanks to Valentin, I did figure out how to change the umask for
pure-ftpd. So now uploaded files have the permissions I wanted, even if
they are not needed.

Be careful with what you've done.  If you changed the umask on the ftpd
as a whole, then suddenly unrelated users are going to find their files
writeable by whatever group/GID they default to.



A good point. The default group for my users is their own group...  
i.e., user_a's default group is user_a, so that should not be a  
problem, but why give away more rights than necessary?


So, I've put the pure-ftpd umask back to 137:077 (this inverted octal  
was a brain twister until I had my second cup of coffee :-),  
retested, and it all works the way I wanted it to.


Three hours gone, but I guess I learned a few things, which I have  
documented in my Solutions Log.


By the way, for any Mac users on the list, I highly recommend Yojimbo  
as a Solutions Log. Yojimbo is a program that's hard to explain, but  
incredibly useful. It is basically a place that you can throw all  
sorts of useful information, such as notes on how to solve things  
you've already figured out (I hate having to figure things out  
twice), PDFs, book marks, whole web pages (archived), emails  
(archived), passwords (encrypted)... any information that you want to  
be able to find easily in the future.


You can 'tag' each bit of information with as many keywords as you want.

Then, when you need to retrieve some vital bit of information, it has  
a search engine that lets you find it quickly.


It sounds trivial, when you read it, but I don't know any other tool  
that lets you store so many types of documents in the same place,  
with such easy retrieval.


Anyway, that's my tip of the day.

Thanks to everyone for the help. Now I just need to catch up on the  
rest of the day's work!


-- John
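
Added example, not part of the thread: a small sh script that works out what a pure-ftpd style files:dirs umask pair such as 137:077 does to uploaded files, flags pairs that leave uploads group-writable, and checks that a read-only file can still be removed from a writable directory. The function names, the 0666/0777 base modes and the 117:007 pair are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example. Assumption: the FTP daemon creates files from base mode 0666
# and directories from 0777, then clears the bits named in its umask pair.

# apply_umask BASE UMASK -> resulting mode as three octal digits
apply_umask() {
    printf '%03o\n' $(( 0$1 & ~0$2 & 0777 ))
}

# upload_modes FILES:DIRS -> "filemode dirmode" for a pure-ftpd style pair
upload_modes() {
    echo "$(apply_umask 666 "${1%%:*}") $(apply_umask 777 "${1##*:}")"
}

# group_writable MODE -> succeeds if the group write bit (020) is set
group_writable() {
    [ $(( 0$1 & 020 )) -ne 0 ]
}

# audit FILES:DIRS -> one line saying whether group members can edit uploads
audit() {
    am_modes=$(upload_modes "$1")
    if group_writable "${am_modes%% *}"; then
        echo "$1 -> $am_modes: group members can modify each other's uploads"
    else
        echo "$1 -> $am_modes: group members cannot modify uploads"
    fi
}

# can_unlink_readonly: delete a mode-444 file from a directory we may write to.
# Succeeds when the file is gone, i.e. the file's own mode did not matter.
can_unlink_readonly() {
    cu_dir=$(mktemp -d) || return 2
    : > "$cu_dir/data_file.csv"
    chmod 444 "$cu_dir/data_file.csv"
    rm -f "$cu_dir/data_file.csv"
    if [ -e "$cu_dir/data_file.csv" ]; then cu_rc=1; else cu_rc=0; fi
    rm -rf "$cu_dir"
    return "$cu_rc"
}

audit 137:077    # the pair John settled on
audit 117:007    # constructed pair that grants group write
can_unlink_readonly && echo "read-only file removed via directory write permission"
```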
